Document Comparison
SPoC_Technical_FAQs_v1.9_.pdf → SPoC_Technical_FAQs_v1.10_.pdf
89% similar
Pages: 20 → 20
Words: 7613 → 7718
Content changes: 21
21 content changes shown. 20 administrative changes (dates, page numbers) hidden.
Added
p. 13
Q 28 [July 2024] Can a Mobile Device Management (MDM) solution be used as an ‘OS store’ for the distribution of a PIN CVM application? Is additional testing required in such a case? A Yes. An MDM system may be used for the distribution of a PIN CVM application, instead of the official OS store, if the requirements of TR B6 have been validated as part of the Solution listing.
Added
p. 15
Q 34 [June 2022] Does compliance with the Unsupported OS Annex require that every CVE for all platforms within the SPoC Solution baseline are individually reviewed, categorized, and mitigated by the SPoC Solution provider? A No. The SPoC Unsupported OS Annex requires that there is a robust and mature vulnerability management and mitigation program in effect. The intent of this program is to ensure that vulnerabilities affecting older platforms which may remain unpatched by the platform vendor are mitigated by the security features of the SPoC Solution, such as through the Attestation and Monitoring systems. Compliance with the Unsupported OS Annex requires both threat detection and mitigation (requirement 2) and vulnerability detection and mitigation (requirement 3). This may include detailed review of each CVE for all supported platforms (in addition to other measures to identify unknown vulnerabilities), or it may instead be implemented through a combination of focused review of …
Added
p. 18
Q 41 When does SPoC Standard v1.1 become effective? A SPoC Standard v1.1 (and SPoC Program Guide v1.2) is effective immediately upon publication and becomes mandatory for all new SPoC solution evaluations. In-process evaluations can be completed using SPoC Standard v1.0. PCI SSC must be notified in writing by each SPoC lab of the specific SPoC solution they have under evaluation. The final laboratory evaluation reports must be received by PCI no later than sixty calendar days after the SPoC Standard and the associated SPoC Program Guide publication date.
Modified
p. 13
Q 28 → Q 29 [December 2021] What is expected from SPoC labs regarding physical and logical testing of the COTS devices? A While there is no expectation to perform physical or logical testing of a COTS device itself, SPoC labs must confirm whether COTS platforms included in the COTS system baseline have known characteristics, such as physical test, debug, or in-circuit emulation features. For example, some Android mobile devices have an NFC logging service, which is intended to be used for debugging …
Modified
p. 13
Q 29 → Q 30 [December 2021] Can back-end attestation and monitoring systems be hosted in multiple environments by more than one entity? A Yes. For each environment that is hosting attestation and monitoring systems, the SPoC solution provider is expected to do either: 1) Provide an Attestation of Compliance (AOC) that has been completed and signed within the previous 12 months demonstrating that the environment complies with the PCI DSS, including the additional controls outlined in PCI DSS Appendix A3 DESV, or; …
Modified
p. 13 → 14
Q 30 → Q 31 [December 2021] Does assessment of back-end systems require a physical onsite presence of the lab personnel? A SPoC solution back-end environments include the back-end monitoring and attestation environment and the back-end payment processing environment. The back-end payment processing environment must be compliant with the PCI Data Security Standard and PCI PIN Security Requirements, as applicable, and whether remote assessment methods are acceptable is defined by the compliance-accepting entities.
Modified
p. 14
Q 31 → Q 32 When does the SPoC Unsupported OS Annex apply? A The security objectives outlined in the SPoC Unsupported OS Annex are optional, and the security controls are required only for solutions that include unsupported OSes in their COTS system baseline. For example, a solution provider may decide to include an unsupported COTS OS in the COTS system baseline of its initial evaluation, or to retain a previously supported COTS OS that became unsupported during the annual checkpoint.
Modified
p. 14
Q 32 → Q 33 Can an “objective-based” approach be used for security requirements and test requirements in the SPoC Standard? A The objective-based approach is intended only for evaluating security controls and processes implemented by an SPoC solution provider, as outlined in the SPoC Unsupported OS Annex, to protect the integrity and confidentiality of a PIN entered on COTS devices running an unsupported operating system.
Modified
p. 15
Q 34 → Q 35 Can APIs (i.e., software libraries allowing third parties to interface with the SPoC solution) be validated and listed as part of an SPoC solution? A Yes. In cases where the SPoC solution provider offers libraries or APIs to allow third parties to interface to the solution, evaluation and validation by a SPoC Lab is required as part of each SPoC solution in which such APIs are provided in order to validate that usage of the API can be …
Modified
p. 15 → 16
Q 35 → Q 36 What is expected from an SPoC lab when evaluating an SPoC solution that offers APIs or software libraries to allow third-party developers to interface with the SPoC solution? A The evaluation and validation of the APIs (together with the SPoC user guidance document described and defined in the SPoC Program Guide) by an SPoC lab are required as part of each SPoC solution in which such libraries or APIs are provided. It is expected the SPoC lab validates …
Modified
p. 16
Q 36 → Q 37 What API or software library implementation options can be supported by the SPoC solution? A Whether an implementation of an API or a software library can be supported by the SPoC Program depends largely on whether an SPoC lab can validate the exposed API or library to the SPoC Security Requirements and SPoC Test Requirements.
Modified
p. 17
Q 37 → Q 38 Can an SPoC lab reference an approval from another PCI SSC standard, such as
Modified
p. 17
Q 38 → Q 39 Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one SPoC evaluation can be reused in another SPoC evaluation from the same solution provider. This situation occurs commonly when two SPoC solutions with similar characteristics are evaluated by the same laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have been completed under the same major version of …
Modified
p. 18
Q 41 → Q 42 How does a minor update to the SPoC Standard affect the expiry date of listed SPoC solutions? A Minor updates of the SPoC Standard (e.g., from version 1.0 to version 1.1) do not change the expiry dates for listed SPoC solutions; they remain as three years from the initial acceptance/listing date shown on the PCI SSC website.
Modified
p. 18
Q 42 → Q 43 Can a Delta change be submitted to update a listed SPoC solution between minor versions of the SPoC Standard? A Yes, the change is submitted to an SPoC lab and it is up to the SPoC lab to determine whether the extent of the change(s) can be validated via delta evaluation. If the changes are extensive or highly impactful to the SPoC security requirements, the SPoC lab may determine that a full evaluation is required. Note that all …
Modified
p. 18 → 19
Q 43 → Q 44 Can an Administrative change be submitted to transition a listed SPoC solution from SPoC Standard? A No, Administrative changes cannot be used to transition between versions of the SPoC Standard; a full or delta change evaluation, as determined by the SPoC lab, must be performed.
Modified
p. 18 → 19
Q 44 → Q 45 What happened to “Designated Change” in the SPoC Program Guide? A Designated changes have been incorporated into the delta change process in SPoC Program Guide version 1.2 to help simplify the change and listing process.
Modified
p. 19
Q 45 → Q 46 What testing and reporting are expected to be performed by an SPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the SPoC solution continues to meet the security and test requirements of the SPoC Standard. The amount of testing that is required will vary. At a minimum, however, the SPoC lab must confirm that:
Modified
p. 19 → 20
Q 46 → Q 47 How often must an SPoC Solution’s Back-end Processing Environment undergo a A The SPoC Solution’s Back-end Processing Environment must be assessed and validated by a PCI-qualified PIN Assessor (QPA) annually (i.e., at least every 12 months). Evidence of the PIN Assessment is verified by the SPoC lab during the annual checkpoint.
Modified
p. 20
Q 47 → Q 48 [December 2021] Can a SPoC Solution Listing be delayed at a vendor’s request? A Yes, solution providers may choose to delay listing a newly approved SPoC solution for up to a maximum of six calendar months. Written notification to PCI SSC must be submitted by the SPoC solution provider, through the SPoC laboratory performing the evaluation, along with the completed SPoC Evaluation Report. In addition, the SPoC lab must make a notation in the applicable field of the …
Modified
p. 20
Q 48 → Q 49 [June 2022] Can a SPoC solution be submitted using an SCRP that is part of a delayed listing, and not yet live on the PCI website? Can the listing of this SPoC solution also be delayed? A Yes, a SPoC evaluation report can include a delayed SCRP listing that is not yet live on the PCI website, and the listing of that SPoC Solution may also be delayed by up to 6 months from the date of Acceptance …